Tabletop Exercise Scenarios: 5 Templates Your Team Can Run Today

Tabletop exercises (TTX) are the single most effective tool for improving incident response readiness. They cost almost nothing to run, they expose critical gaps that no document review can find, and they build the muscle memory your team needs when a real incident hits at 3 AM on a holiday weekend. Yet most organizations either don't run them at all or run them so infrequently that the benefits never compound.

The most common excuse? "We don't have a good scenario." That ends here. Below are five complete tabletop exercise scenarios, each with a realistic setup, progressive injects that escalate pressure and complexity, discussion questions for the facilitator, and specific learning objectives. These scenarios are designed for teams of 6–15 participants and can be run in 2–4 hours with minimal preparation.

How to Run a Tabletop Exercise

Before diving into the scenarios, a brief guide on running an effective TTX. The quality of your exercise depends as much on facilitation as on the scenario itself.

Roles

• Facilitator — Runs the exercise. Presents the scenario, introduces injects at appropriate moments, keeps discussion on track, and manages time. The facilitator should be someone who understands incident response but is not playing a role in the exercise. An external facilitator can be particularly effective because they have no stake in existing team dynamics.
• Participants — Should represent every function involved in real incident response. At minimum: IR/SOC team lead, IT operations, legal counsel, communications/PR, and at least one executive decision-maker. For maximum value, include HR (especially for insider threat scenarios), finance (for BEC scenarios), and key business unit leaders.
• Scribe — Dedicated note-taker who documents every decision, action item, assumption, and point of confusion. The scribe's notes become the foundation of the post-exercise improvement plan.

Ground Rules

• No blame — The exercise is about finding gaps, not assigning fault. If someone doesn't know what to do, that's a gap the exercise is designed to find.
• Stay in role — Participants should respond as they would in a real incident, with the knowledge and authority their actual role provides. The IT director shouldn't answer questions only legal counsel would handle.
• Decisions have consequences — The facilitator adapts the scenario based on participant decisions. If the team decides not to isolate affected systems, the next inject reflects that (more systems encrypted, wider spread). This creates genuine tension and realistic trade-off discussions.
• Time compression — Tabletop time doesn't equal real time. The facilitator can advance the scenario clock by hours or days between injects to cover the full incident lifecycle in a single session.

Format

1. Scenario presentation (10 minutes) — Set the scene. Describe the initial detection or report. Establish what day and time it is, what the team's current workload looks like, and any relevant context.
2. Initial discussion (15–20 minutes) — Participants discuss their immediate response. Who do they call? What's the first action? What information do they need?
3. Inject rounds (20–30 minutes each, 3–4 rounds) — The facilitator introduces new information that changes the situation. Each inject should force new decisions and surface additional response capabilities (or gaps).
4. Debrief (30–45 minutes) — The most important part. Walk through what went well, what didn't, and document specific action items for plan improvement.

Scenario 1: Ransomware Attack on Core Infrastructure

Setup

It's Monday at 6:15 AM. Your SOC monitoring platform fires a high-severity alert: mass file rename activity detected on three file servers. Within minutes, two more alerts trigger — endpoint detection on eight workstations in the accounting department showing known ransomware behavior patterns. Your on-call analyst checks the first file server remotely and finds a ransom note on the desktop: the attacker demands $2 million in Bitcoin within 48 hours, with a threat to publish exfiltrated data if the ransom isn't paid.

Additional context for the facilitator to share during the setup: your organization runs a hybrid Active Directory environment with approximately 2,000 endpoints. You have an EDR solution deployed to 85% of endpoints (the remaining 15% are legacy systems). Your backup infrastructure uses a commercial backup product with daily incremental backups to an on-premises backup server and weekly offsite replication.

Facilitator note: Start the clock. Participants have just been paged. Some may not be physically present — ask them how they join the response. This tests your out-of-hours communication procedures.

Inject 1: Backup Compromise

Timing: Introduce 20 minutes into the exercise (simulated time: Monday 8:00 AM).

The backup team reports that the on-premises backup server shows signs of tampering. The attacker appears to have had access to the environment for approximately three weeks. The most recent clean backup is 19 days old. Offsite replicated backups may also be affected — the replication job has been running normally, which means it may have replicated encrypted or corrupted data.

Discussion questions: How does this change your recovery strategy? Can you validate offsite backup integrity? What's the business impact of losing 19 days of data? Do you have alternative data recovery options (shadow copies, application-level backups, cloud SaaS data)?

Inject 2: Media Contact

Timing: Introduce 40 minutes into the exercise (simulated time: Monday 2:00 PM).

A journalist from a national technology publication contacts your communications department, stating that the threat actor has posted a claim on their leak site, including a sample of exfiltrated files. The journalist asks for comment and indicates they plan to publish the story by end of day.

Discussion questions: Who drafts the media response? What can you confirm or deny at this point? Do you have a holding statement prepared? How do you communicate with employees before they read about it in the news? What are your regulatory notification obligations at this stage — have you submitted the NIS2 24-hour early warning?

Inject 3: Data Exfiltration Confirmed

Timing: Introduce 60 minutes into the exercise (simulated time: Tuesday 10:00 AM).

Your forensic analysis confirms data exfiltration. Network logs show approximately 400 GB of data transferred to an external IP address over the past two weeks, primarily during off-hours. The data includes files from the healthcare client project directory, which may contain protected health information (PHI). You also discover that the attacker accessed the HR file share containing employee records with national identification numbers.

Discussion questions: What data breach notification obligations are triggered? Who contacts the healthcare client? What are the GDPR implications of employee data exposure? Does this change whether you consider paying the ransom? How do you notify affected employees?

Inject 4: Escalation — Data Publication

Timing: Introduce 80 minutes into the exercise (simulated time: Wednesday 9:00 AM).

The threat actor begins publishing files on their leak site. The first batch includes several internal financial documents and a spreadsheet containing healthcare client patient records. Your healthcare client's CISO calls, demanding a full briefing and threatening contract termination. Your CEO asks whether paying the ransom would stop the publication.

Discussion questions: Is paying the ransom at this point likely to stop data publication? What is your legal counsel's advice on ransom payment? How do you manage the client relationship? What's your public communication strategy now that data is public? Do you engage law enforcement? How do you support affected individuals whose data has been published?

Learning Objectives

• Escalation procedures and out-of-hours activation
• Ransomware-specific decision-making (to pay or not to pay)
• Regulatory notification timelines (NIS2 24-hour early warning, GDPR 72-hour notification)
• Communication under pressure (media, clients, employees, regulators)
• Backup validation and recovery planning
• Cross-functional coordination between IT, legal, communications, and executive leadership

Scenario 2: Insider Threat — Data Exfiltration

Setup

It's Thursday at 2:30 PM. Your Data Loss Prevention (DLP) system generates an alert: a senior software engineer has uploaded 2.3 GB of data to a personal Google Drive account over the past 48 hours. A preliminary review shows the uploads include source code repositories, product architecture documents, and a customer list spreadsheet. HR confirms that this employee submitted their resignation three weeks ago and is joining a direct competitor. They have two weeks remaining on their notice period.

Additional context: the employee has been with the company for six years, has a clean disciplinary record, and is well-liked by their team. They have administrative access to several development repositories and have legitimate business reasons to access most of the data that was uploaded.

Facilitator note: This scenario tests the intersection of security, HR, and legal. It's less about technical response and more about coordination, legal boundaries, and preserving evidence for potential litigation. Make sure legal counsel and HR participants are actively engaged.

Inject 1: Manager Awareness

Timing: Introduce 20 minutes into the exercise (simulated time: Thursday 4:00 PM).

When you brief the employee's direct manager, they reveal that they were aware the employee was using personal cloud storage. The manager had approved it verbally six months ago so the employee could "work from home more easily" during a family situation. The manager did not document this approval or inform IT. The manager is concerned and asks you not to "overreact" because the employee is critical to an upcoming product launch.

Discussion questions: Does the manager's verbal approval change the legal or policy situation? How do you handle the manager's request to minimize the response? How do you preserve evidence while respecting the employee's remaining work period? Do you need to investigate whether the manager's conduct constitutes a policy violation?

Inject 2: Legal Complications

Timing: Introduce 40 minutes into the exercise (simulated time: Friday 10:00 AM).

Legal counsel reviews the employee's contract and discovers that the non-compete clause may not be enforceable under the employment laws of the employee's jurisdiction. Additionally, the employee's contract contains a vague intellectual property assignment clause that hasn't been updated since they were hired. Legal advises that a civil case for trade secret theft is possible but would require strong evidence of intentional misappropriation, not just data transfer.

Discussion questions: How does this legal assessment change your response strategy? Do you confront the employee now or continue monitoring? If you continue monitoring, what additional evidence are you trying to gather? What's the risk of the employee destroying evidence if confronted? What's the risk of additional exfiltration if you don't confront them?

Inject 3: Expanded Scope

Timing: Introduce 60 minutes into the exercise (simulated time: Friday 3:00 PM).

Deeper forensic analysis of the employee's workstation reveals that the data exfiltration has been happening for two months, not two days. The DLP system only caught the most recent uploads because the employee changed their upload method (previously using a VPN to bypass DLP inspection). The total data volume exfiltrated is estimated at 15 GB and includes proprietary algorithms, client API keys, and internal security documentation including your vulnerability assessment results.

Discussion questions: The security documentation exposure — does this create additional risk? Do you need to rotate client API keys? Who has the authority to make the termination decision? Do you involve law enforcement at this point? How do you handle the fact that your DLP missed two months of exfiltration? What broader controls need to change?

Inject 4: Employee Confrontation

Timing: Introduce 80 minutes into the exercise (simulated time: Monday 9:00 AM, next week).

The decision has been made to confront the employee. HR and security meet with them. The employee claims everything they uploaded was their own work product created outside of work hours, and that they need it for "reference" at their new position. They become agitated and state that they'll have their lawyer contact the company. After the meeting, the employee is escorted out. Your IT team discovers that the employee's workstation shows evidence of secure file deletion activity from over the weekend — they appear to have deleted files and used a wiping tool on their work laptop.

Discussion questions: Can you recover the wiped data? Should you have imaged the laptop before the confrontation? How do you preserve the chain of custody for potential litigation? What communication goes to the employee's team? How do you prevent similar incidents in the future?

Learning Objectives

• HR/legal/security coordination and decision authority
• Evidence chain of custody for potential litigation
• Insider threat detection and monitoring limitations
• Balancing employee rights with organizational protection
• DLP effectiveness assessment and improvement
• Pre-termination evidence preservation procedures

Scenario 3: Supply Chain Compromise

Setup

It's Wednesday at 11:00 AM. Your threat intelligence feed reports that a widely used IT monitoring agent — one that your organization deploys on all managed endpoints — has pushed a malicious update. The vendor has acknowledged the supply chain compromise on their status page but details are limited. They state that the malicious update was distributed between 2:00 AM and 6:00 AM this morning. Your asset management system shows that 4,000 of your endpoints received the update during the automatic update window overnight.

Additional context: the monitoring agent runs with SYSTEM/root privileges on every endpoint it's installed on. It has network access to communicate with the vendor's cloud management platform. The agent is deployed across your entire infrastructure, including servers in your PCI DSS cardholder data environment, development environments, and executive workstations.

Facilitator note: This scenario tests large-scale containment decisions where every option has significant business impact. The key tension is between security (isolate everything) and operations (isolating 4,000 endpoints halts the business). Push participants to make explicit trade-off decisions.

Inject 1: C2 Communication Detected

Timing: Introduce 20 minutes into the exercise (simulated time: Wednesday 1:00 PM).

Your network monitoring detects that approximately 200 of the 4,000 affected endpoints are actively communicating with an unknown IP range that doesn't match the vendor's legitimate infrastructure. The traffic pattern suggests command-and-control (C2) communication. The other 3,800 endpoints received the update but don't show active C2 traffic — it's unclear whether they're dormant, waiting for activation, or if the malicious payload only activated on systems meeting certain criteria.

Discussion questions: Do you isolate all 4,000 endpoints or only the 200 with confirmed C2? What's the business impact of each option? How do you prioritize which systems to investigate first? Can you block the C2 IP range at the perimeter without isolating endpoints? What's your communication with the affected vendor?

Inject 2: Vendor Uncertainty

Timing: Introduce 40 minutes into the exercise (simulated time: Wednesday 5:00 PM).

The vendor holds an emergency customer call. They confirm the compromise but cannot yet provide clean IOCs, a list of affected versions, or a remediation tool. They estimate 48–72 hours before they can provide a clean update and removal instructions. Meanwhile, they recommend "monitoring for unusual activity." Your PCI DSS QSA contacts you, asking about the potential impact to your cardholder data environment and whether you need to escalate to your acquiring bank.

Discussion questions: Can you wait 48–72 hours for the vendor's remediation? What interim containment can you implement? How do you handle the PCI DSS implications? Do you uninstall the agent entirely (losing monitoring capability)? How do you monitor systems if you remove the monitoring agent? What alternate tools can you deploy?

Inject 3: Active Compromise Confirmed

Timing: Introduce 60 minutes into the exercise (simulated time: Thursday 9:00 AM).

Forensic analysis of one of the 200 actively communicating endpoints reveals that the malicious update deployed a backdoor, conducted Active Directory reconnaissance, and attempted lateral movement to systems without the monitoring agent. You also discover that the attacker has established a secondary persistence mechanism (a scheduled task) that would survive agent removal. A peer organization in your industry publicly discloses that they were breached through the same vector and experienced data exfiltration.

Discussion questions: How do you check all 4,000 endpoints for the secondary persistence mechanism? Does the peer organization's breach change your regulatory notification obligations? How do you communicate with your customers about the potential exposure? Do you bring in external IR support for the scale of the investigation? How do you coordinate with law enforcement and the vendor's investigation?

Inject 4: Business Pressure

Timing: Introduce 80 minutes into the exercise (simulated time: Friday 2:00 PM).

Your CFO reports that critical business operations are severely degraded due to the endpoint isolations. Two major client-facing systems have been offline for 36 hours. A key customer threatens contract penalties for SLA violations. The board requests an emergency briefing on Saturday morning. Your CEO asks: "When will things be back to normal?"

Discussion questions: How do you prioritize system restoration while maintaining security? Can you create a "clean zone" for critical business operations? What's your message to the board? How do you balance the CEO's desire for normalcy with the security team's need for thorough investigation? What's your timeline for full recovery, and how do you communicate uncertainty?

Learning Objectives

• Large-scale containment decision-making and trade-offs
• Third-party/vendor coordination during incidents
• Business continuity under active compromise
• Multi-regulatory compliance (NIS2, PCI DSS, GDPR)
• Communication with board, customers, and regulators during extended incidents
• Recovery prioritization and clean environment establishment

Scenario 4: Cloud Account Compromise

Setup

It's Tuesday at 9:45 AM. AWS GuardDuty generates a high-severity finding: API calls from an unusual geolocation using IAM credentials belonging to a production service account. The calls originated from an IP address in a country where your organization has no operations. CloudTrail logs show reconnaissance activity across all AWS regions — DescribeInstances, ListBuckets, GetCallerIdentity — followed by the launch of 24 large EC2 instances in three regions your organization doesn't normally use.

Additional context: your organization uses AWS as its primary cloud provider. The compromised service account has broad permissions (it was created as a "temporary" solution 18 months ago and never scoped down). Your production environment includes customer-facing applications, databases with PII, and S3 buckets with business-critical data. Your cloud team consists of three engineers who also handle day-to-day operations.

Facilitator note: Cloud incidents require different containment approaches than on-premises incidents. The speed of attacker actions in cloud environments is much higher, and the blast radius of a compromised high-privilege credential is enormous. Push participants on the specifics of cloud containment — they can't just "pull the network cable."

Inject 1: Crypto Mining and Cost Explosion

Timing: Introduce 20 minutes into the exercise (simulated time: Tuesday 11:00 AM).

The 24 EC2 instances launched by the attacker are running cryptocurrency mining software. Your current AWS bill estimate shows €15,000 in charges from the unauthorized instances, and the number is climbing at approximately €2,000 per hour. Additionally, the attacker has launched instances in two additional regions since the initial detection. Your finance team is asking how this will be handled from a budget perspective.

Discussion questions: How do you terminate the mining instances without alerting the attacker to your response (if you want to monitor their activity)? Who has the authority to terminate EC2 instances in production? How do you contact AWS support for billing relief? What's more important right now: stopping the cost bleeding or understanding the full scope of compromise?

Inject 2: Expanded Access

Timing: Introduce 40 minutes into the exercise (simulated time: Tuesday 2:00 PM).

CloudTrail analysis reveals that the attacker has created three additional IAM users with administrative privileges and generated access keys for each. They've also attached an inline policy to an existing role that grants s3:* permissions. Your S3 access logs show an unusual volume of GetObject requests against the bucket containing customer PII — approximately 50 GB of data has been downloaded over the past two hours.

Discussion questions: How do you identify and revoke all attacker-created credentials without revoking legitimate ones? The compromised service account — can you disable it without breaking production? How do you assess which S3 data was accessed? What's your data breach notification obligation for the PII exposure? How do you confirm the attacker hasn't established persistence beyond IAM (Lambda functions, CloudFormation stacks, SSM documents)?

Inject 3: Root Cause Identified

Timing: Introduce 60 minutes into the exercise (simulated time: Wednesday 10:00 AM).

Investigation determines that the service account access keys were exposed in a public GitHub repository. A developer committed a configuration file containing the keys to a personal (not organizational) GitHub repo three days ago. The developer realized the mistake and deleted the commit within an hour, but automated credential scanning bots had already harvested the keys. The developer did not report the exposure to the security team.

Discussion questions: How do you handle the developer's failure to report? What secrets management practices would have prevented this? How do you scan for other exposed credentials in public repositories? What policy changes are needed? How do you verify the keys weren't used before the GitHub exposure (eliminating the possibility the attacker obtained them another way)?

Inject 4: Customer Impact Assessment

Timing: Introduce 80 minutes into the exercise (simulated time: Thursday 3:00 PM).

Your forensic analysis confirms that the S3 bucket containing customer PII was fully exfiltrated. The bucket contained records for approximately 45,000 customers, including names, email addresses, phone numbers, and in some cases, billing addresses and partial payment information. Your legal team needs a definitive scope assessment for breach notification. Your largest enterprise customer (representing 30% of revenue) has a contractual requirement for security incident notification within 24 hours.

Discussion questions: What's your GDPR notification timeline? Who drafts the customer notification letters? How do you determine exactly which records were accessed (versus the entire bucket)? How do you notify the enterprise customer? What remediation and monitoring do you offer affected individuals? What's the long-term impact on customer trust, and how do you address it?

Learning Objectives

• Cloud-specific containment and credential revocation procedures
• IAM remediation in complex cloud environments
• Cost management and AWS support engagement during incidents
• Evidence preservation in cloud environments (CloudTrail, S3 access logs, VPC flow logs)
• Secrets management and developer security practices
• Data breach assessment and notification in cloud contexts

Scenario 5: Business Email Compromise — CEO Fraud

Setup

It's Friday at 1:45 PM. The finance department contacts the security team because something "feels off." Three days ago, the CFO received an email from the CEO requesting an urgent wire transfer of €340,000 to a new vendor for a "confidential acquisition." The email came from the CEO's actual email address, matched their writing style, and referenced a real acquisition the company has been exploring. The CFO approved the transfer, which was processed by the finance team on Wednesday morning. The CEO returned from a two-day offsite event this morning and has no knowledge of the request.

Additional context: the wire transfer was sent to a bank account in Hong Kong. Your organization processes international wire transfers regularly, so this didn't trigger any unusual transaction flags. The finance team's dual-approval process was followed — the CFO's email approval was accepted as one authorization, and the finance director signed the second authorization based on the CFO's instruction.

Facilitator note: Time is the critical factor in this scenario. Every hour that passes reduces the chance of recovering the funds. Push participants to recognize this urgency. Also note: this is a scenario where the security team's first instinct (investigate the email compromise) conflicts with the most urgent action (recover the money). Good facilitators will test whether the team can do both in parallel.

Inject 1: Fund Recovery Attempt

Timing: Introduce 15 minutes into the exercise (simulated time: Friday 2:30 PM).

Your bank informs you that the wire transfer has been processed and the funds have left your account. They can initiate a recall request, but the receiving bank in Hong Kong is under no obligation to comply. The bank advises that successful recalls are most likely within 24–48 hours of the transfer, and your window is rapidly closing since the transfer was processed two days ago. They recommend contacting law enforcement immediately to support the recall request with an official report. Meanwhile, your finance team discovers two additional pending wire transfer requests from the "CEO" totaling €210,000, scheduled for processing on Monday.

Discussion questions: Who contacts the bank? Who files the law enforcement report? How do you stop the pending transfers without alerting the attacker? Can you recover the funds, and what's the realistic probability? What jurisdiction handles this — local police, national cybercrime unit, or Europol?

Inject 2: Email Account Analysis

Timing: Introduce 35 minutes into the exercise (simulated time: Friday 4:00 PM).

Investigation of the CEO's email account reveals that the attacker gained access approximately two weeks ago via a phishing email that harvested the CEO's credentials through a convincing Microsoft 365 login page. The attacker set up three email forwarding rules: one that forwards all emails containing "payment," "transfer," or "wire" to an external Gmail address, one that automatically moves replies from the CFO to a hidden folder, and one that deletes any bounce-back messages. The attacker also registered a new MFA device on the account five days ago.

Discussion questions: How do you secure the CEO's account without the attacker noticing (if you want to monitor their activity)? Or do you lock it down immediately? What other accounts might the attacker have accessed from the CEO's mailbox (board documents, M&A communications, other executive emails)? How do you check if the forwarding rules captured sensitive information over the past two weeks? Should you check all executive email accounts for similar compromise indicators?

Inject 3: Scope Expansion

Timing: Introduce 55 minutes into the exercise (simulated time: Saturday 11:00 AM).

Audit log review reveals that the attacker used the CEO's account to access shared executive mailboxes and SharePoint sites over the past two weeks. They accessed board meeting minutes, the company's M&A pipeline document, salary data for all executives, and the draft annual financial report (not yet publicly released). The attacker also sent three emails from the CEO's account to business partners, requesting updated banking details for "a change in our primary account." Two partners have confirmed they received the emails; one has already updated their records with the fraudulent banking details.

Discussion questions: How do you notify business partners without causing panic? What's the regulatory implication of the accessed financial data (insider trading concerns)? How do you assess whether any confidential board information has been leveraged? The partner who updated banking details — what's their exposure, and what's your obligation to them? How do you communicate the full scope to your board?

Inject 4: Attribution and Ongoing Risk

Timing: Introduce 75 minutes into the exercise (simulated time: Monday 9:00 AM).

Law enforcement contacts you with an update: the Hong Kong bank has frozen a portion of the funds (€120,000 of the original €340,000), but the remainder has been moved to additional accounts. The investigation links your incident to a BEC group that has targeted 15 other European companies in the past six months. Law enforcement asks for full access to your email logs and requests that you not reset certain credentials yet to avoid tipping off the attackers in their broader investigation. Meanwhile, your insurance company asks for a detailed timeline and evidence preservation attestation to begin processing the fraud claim.

Discussion questions: How do you balance law enforcement's request to delay remediation with your need to secure your environment? What does your cyber insurance policy cover for BEC losses? How do you coordinate with the 15 other targeted companies? What process improvements will prevent this from recurring — not just technical controls, but approval workflow changes? How do you communicate the partial fund recovery to your board?

Learning Objectives

• Financial fraud response and time-critical fund recovery
• Email account compromise investigation and remediation
• Law enforcement coordination and evidence sharing
• Business process vulnerabilities (approval workflows, identity verification)
• Executive communication and board briefing during financial loss incidents
• Insurance claims process and evidence preservation requirements

Running Your Debrief

The debrief is where the real value of a tabletop exercise is captured. A well-facilitated scenario with a poor debrief produces memories; a well-facilitated debrief produces improvements. Allocate at least 30 minutes, ideally 45.

Debrief Structure

1. What went well — Start positive. Identify decisions that were made quickly and correctly, communication that flowed smoothly, and procedures that worked as designed. Reinforcing effective behavior is as important as identifying gaps.
2. What didn't go well — Identify points of confusion, delayed decisions, missing information, communication breakdowns, and procedures that didn't exist or weren't followed. Be specific — "communication was poor" is not actionable. "We didn't know who was authorized to approve a ransom payment" is.
3. Surprises — What did participants learn that they didn't know before? Were there assumptions that proved incorrect? Were there gaps that nobody anticipated?
4. Action items — Every gap should produce a specific, assigned, time-bound action item. "Update the IR plan" is not an action item. "Add ransomware payment decision authority to Section 4.2 of the IR plan, assigned to CISO, due by April 15" is.

Scoring Dimensions

For organizations that want to track improvement over time, score each exercise across these dimensions using a 1–5 scale:

• Detection speed — How quickly did the team recognize the nature and scope of the incident?
• Decision quality — Were containment and escalation decisions appropriate for the situation?
• Communication effectiveness — Did information flow to the right people at the right time?
• Procedure adherence — Did the team follow existing IR procedures, or did they improvise?
• Documentation quality — Was the incident properly documented throughout the response?
• Regulatory awareness — Did the team identify and act on regulatory notification obligations?

Track scores across exercises to measure improvement. Share results with leadership to demonstrate the value of the program and justify continued investment in IR training and capability development.